TOMOYO
ForkHello.
Vadim Korschok wrote:
> Maybe you can also describe what patch you've downloaded and how you patched.
# emerge =sys-kernel/hardened-sources-2.6.27-r7
# cd /usr/src/linux
# tar -zxf ~/ccs-patch-1.6.6-20090202.tar.gz
# patch -p1 < patches/ccs-patch-2.6.27-grsecurity-2.1.12-2.6.27.10.diff
# cp ~/config-2.6.27-patched-h7 .config
# emacs Makefile
EXTRAVERSION = -hardened-r7
|
V
EXTRAVERSION = -ccs-hardened-r7
# genkernel --oldconfig all
# ls -l /boot/
-rw-r--r-- 1 root root 1538160 Feb 3 09:28 System.map-genkernel-x86_64-2.6.27-ccs-hardened-r7
lrwxrwxrwx 1 root root 1 Jan 29 16:00 boot -> .
drwxr-xr-x 2 root root 4096 Feb 2 19:10 grub
-rw-r--r-- 1 root root 614888 Feb 3 09:29 initramfs-genkernel-x86_64-2.6.27-ccs-hardened-r7
-rw-r--r-- 1 root root 2577536 Feb 3 09:28 kernel-genkernel-x86_64-2.6.27-ccs-hardened-r7
# emerge pax-utils
# emerge paxctl
# emacs /etc/kvm/kvm-ifup
#!/bin/sh
if [ -x /sbin/brctl ]; then
BRCTL="/sbin/brctl"
elif [ -x /usr/sbin/brctl ]; then
BRCTL="/usr/sbin/brctl"
else
echo "no bridge utils installed"
exit 1
fi
if [ -x /sbin/ip ]; then
switch=( $(/sbin/ip route list | awk '/^default / { sub(/.* dev /, ""); print $1 }') )
switch="br0"
/sbin/ip link set $1 up
else
switch=( $(/bin/netstat -rn | awk '/^0\.0\.0\.0/ { print $NF }') )
switch="br0"
/sbin/ifconfig $1 0.0.0.0 up
fi
[[ ${switch#} -ne "1" ]] && logger -t kvm "$0 found more than one bridge connecting $1 to ${switch}"
${BRCTL} addif ${switch} $1
# reboot
(starting kvm)
# modprobe kvm_intel
# kvm -hda /var/tmp/image.img -boot d -cdrom /var/tmp/livecd-amd64-installer-2008.0-r1.iso -m 512 -net nic,vlan=0,model=e1000 -net tap,vlan=0 -vnc :0
(while running kvm)
# pspax
USER PID PAX MAPS ETYPE NAME CAPS ATTR
root 1 PeMRs w^x ET_DYN init =
root 2367 PeMRs w^x ET_DYN udevd =
root 5581 PeMRs w^x ET_DYN sshd =
root 5649 PeMRs w^x ET_DYN login =
root 5651 PeMRs w^x ET_DYN agetty =
root 5652 PeMRs w^x ET_DYN agetty =
root 5653 PeMRs w^x ET_DYN agetty =
root 5654 PeMRs w^x ET_DYN agetty =
root 5655 PeMRs w^x ET_DYN agetty =
root 5668 PeMRs w^x ET_DYN bash =
root 5685 PeMRs w^x ET_DYN sshd =
root 5691 PeMRs w^x ET_DYN bash =
root 5696 PeMRs w^x ET_DYN kvm =
root 5709 PeMRs w^x ET_DYN pspax =
# paxctl -v /usr/bin/kvm
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team <pagee****@freem*****>
- PaX flags: -------x-e-- [/usr/bin/kvm]
RANDEXEC is disabled
EMUTRAMP is disabled
(after finished kvm)
# dmesg | tail -n 50
grsec: unmount of /sys by /bin/busybox[umount:2252] uid/euid:0/0 gid/egid:0/0, parent /init[init:1] uid/euid:0/0 gid/egid:0/0
grsec: unmount of proc by /bin/busybox[umount:2253] uid/euid:0/0 gid/egid:0/0, parent /init[init:1] uid/euid:0/0 gid/egid:0/0
grsec: mount of . to / by /bin/busybox[switch_root:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper:0] uid/euid:0/0 gid/egid:0/0
Calling /sbin/ccs-init to load policy. Please wait.
grsec: mount of none to /proc by /bin/mount[mount:2257] uid/euid:0/0 gid/egid:0/0, parent /sbin/ccs-init[ccs-init:2256] uid/euid:0/0 gid/egid:0/0
Allow mount proc on /proc/ with options 0xE.
Allow mount sysfs on /sys/ with options 0xE.
Allow mount tmpfs on /dev/ with options 0x2.
Allow mount devpts on /dev/pts/ with options 0xA.
Allow remount / with options 0xC00.
Allow mount tmpfs on /dev/shm/ with options 0xE.
Allow mount usbfs on /proc/bus/usb/ with options 0xA.
Allow mount securityfs on /sys/kernel/security/ with options 0xE.
Allow chroot() to /var/empty/
grsec: unmount of none by /bin/umount[umount:2266] uid/euid:0/0 gid/egid:0/0, parent /sbin/ccs-init[ccs-init:2256] uid/euid:0/0 gid/egid:0/0
SAKURA: 1.6.6 2009/02/02
TOMOYO: 1.6.6 2009/02/02
Mandatory Access Control activated.
SAKURA-NOTICE: 'mount proc on /proc/ 0xE' accepted.
grsec: mount of /proc to /proc by /bin/mount[mount:2300] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:2299] uid/euid:0/0 gid/egid:0/0
SAKURA-NOTICE: 'mount sysfs on /sys/ 0xE' accepted.
grsec: mount of sysfs to /sys by /bin/mount[mount:2314] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:2313] uid/euid:0/0 gid/egid:0/0
SAKURA-NOTICE: 'mount tmpfs on /dev/ 0x2' accepted.
grsec: mount of udev to /dev by /bin/mount[mount:2351] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:2328] uid/euid:0/0 gid/egid:0/0
SAKURA-NOTICE: 'mount devpts on /dev/pts/ 0xA' accepted.
grsec: mount of devpts to /dev/pts by /bin/mount[mount:3531] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3530] uid/euid:0/0 gid/egid:0/0
SAKURA-NOTICE: 'mount -o remount / 0xC00' accepted.
EXT3 FS on hda1, internal journal
grsec: mount of /dev/hda1 to / by /bin/mount[mount:3547] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3535] uid/euid:0/0 gid/egid:0/0
SAKURA-NOTICE: 'mount tmpfs on /dev/shm/ 0xE' accepted.
grsec: mount of shm to /dev/shm by /bin/mount[mount:3625] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3622] uid/euid:0/0 gid/egid:0/0
SAKURA-NOTICE: 'mount usbfs on /proc/bus/usb/ 0xA' accepted.
grsec: mount of usbfs to /proc/bus/usb by /bin/mount[mount:3633] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3622] uid/euid:0/0 gid/egid:0/0
SAKURA-NOTICE: 'mount securityfs on /sys/kernel/security/ 0xE' accepted.
grsec: mount of securityfs to /sys/kernel/security by /bin/mount[mount:3635] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3622] uid/euid:0/0 gid/egid:0/0
grsec: time set by /sbin/hwclock[hwclock:3651] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3650] uid/euid:0/0 gid/egid:0/0
device eth0 entered promiscuous mode
0000:02:00.0: eth0: Link is Up 100 Mbps Full Duplex, Flow Control: None
0000:02:00.0: eth0: 10/100 speed: disabling TSO
br0: port 1(eth0) entering learning state
br0: topology change detected, propagating
br0: port 1(eth0) entering forwarding state
device tap0 entered promiscuous mode
br0: port 2(tap0) entering learning state
kvm: 5696: cpu0 unhandled wrmsr: 0xc0010117 data 0
kvm: emulating exchange as write
br0: topology change detected, propagating
br0: port 2(tap0) entering forwarding state
device tap0 left promiscuous mode
br0: port 2(tap0) entering disabled state
Regarding my environment, I see no problem.
By the way, your report had lines
> PAX: kvm:6209, uid/euid: 0/0, attempted to modify kernel code
> BUG: unable to handle kernel paging request at ffffffff8059b040
> IP: [<ffffffffa00394d3>] intel_iommu_found+0x4d3/0x4075 [kvm_intel]
and I received a patch which disables intel_iommu by default.
------- Forwarded Message
From: akpm****@linux*****
To: mm-co****@vger*****
Cc: kyle****@redha*****, dwmw2****@infra*****, jbarn****@virtu*****,markm****@redha*****, stabl****@kerne*****, sures****@intel*****
Subject: + intel_iommu-default-to-off.patch added to -mm tree
Date: Mon, 02 Feb 2009 15:21:34 -0800
The patch titled
intel_iommu: default to off
has been added to the -mm tree. Its filename is
intel_iommu-default-to-off.patch
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/SubmitChecklist when testing your code ***
See http://userweb.kernel.org/~akpm/stuff/added-to-mm.txt to find
out what to do about this
The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/
------------------------------------------------------
Subject: intel_iommu: default to off
From: Kyle McMartin <kyle****@redha*****>
Due to reports of data corruption due to aborted DMA when using the intel
iommu code, disable it by default and provide a command line parameter
"intel_iommu=on" to turn it back on again.
Signed-off-by: Kyle McMartin <kyle****@redha*****>
Cc: Mark McLoughlin <markm****@redha*****>
Cc: Suresh Siddha <sures****@intel*****>
Cc: Jesse Barnes <jbarn****@virtu*****>
Cc: David Woodhouse <dwmw2****@infra*****>
Cc: <stabl****@kerne*****> [2.6.28.x]
Signed-off-by: Andrew Morton <akpm****@linux*****>
---
drivers/pci/intel-iommu.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff -puN drivers/pci/intel-iommu.c~intel_iommu-default-to-off drivers/pci/intel-iommu.c
--- a/drivers/pci/intel-iommu.c~intel_iommu-default-to-off
+++ a/drivers/pci/intel-iommu.c
@@ -268,7 +268,7 @@ static long list_size;
static void domain_remove_dev_info(struct dmar_domain *domain);
-int dmar_disabled;
+int dmar_disabled = 1;
static int __initdata dmar_map_gfx = 1;
static int dmar_forcedac;
static int intel_iommu_strict;
@@ -284,9 +284,12 @@ static int __init intel_iommu_setup(char
if (!str)
return -EINVAL;
while (*str) {
- if (!strncmp(str, "off", 3)) {
+ if (!strncmp(str, "on", 2)) {
+ dmar_disabled = 0;
+ printk(KERN_INFO "Intel-IOMMU: enabled\n");
+ } else if (!strncmp(str, "off", 3)) {
dmar_disabled = 1;
- printk(KERN_INFO"Intel-IOMMU: disabled\n");
+ printk(KERN_INFO "Intel-IOMMU: disabled\n");
} else if (!strncmp(str, "igfx_off", 8)) {
dmar_map_gfx = 0;
printk(KERN_INFO
_
Patches currently in -mm which might be from kyle****@redha***** are
intel_iommu-default-to-off.patch
--
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to major****@vger*****
More majordomo info at http://vger.kernel.org/majordomo-info.html
------- End of Forwarded Message
> Maybe it's also only occurs on the q35 chipset....
There are postings related to "q35" + "intel_iommu".
http://www.google.co.jp/search?q=q35+intel_iommu
"intel_iommu=off" or "intel_iommu=igfx_off" might help.
Regards.